Closed
Bug 1141052
Opened 9 years ago
Closed 9 years ago
SelfSupportBackend.jsm should only allow https URLs in browser.selfsupport.url
Categories
(Firefox :: General, defect)
Firefox
General
Tracking
()
RESOLVED
FIXED
Firefox 40
Tracking | Status | |
---|---|---|
firefox40 | --- | fixed |
People
(Reporter: Gavin, Assigned: Dexter)
References
Details
Attachments
(3 files, 3 obsolete files)
3.05 KB,
patch
|
Dexter
:
review+
|
Details | Diff | Splinter Review |
5.71 KB,
patch
|
Dexter
:
review+
|
Details | Diff | Splinter Review |
2.12 KB,
patch
|
Dexter
:
review+
|
Details | Diff | Splinter Review |
It's generally not safe to allow using an http:// page for self-support, so we should add code to only allow loading https URIs. This will also require changing the dummy URLs used in Talos (similar bug 1138823) and in addon-sdk/source/python-lib/cuddlefish/prefs.py and addon-sdk/source/test/preferences/no-connections.json.
Assignee | ||
Comment 1•9 years ago
|
||
Thanks for reporting this. It's on my radar and I'll be working on it asap :)
Assignee | ||
Comment 2•9 years ago
|
||
This patch makes SelfSupport backend report an error if the self support URL is not using HTTPS. It also changes tests accordingly.
Attachment #8575221 -
Flags: review?(gfritzsche)
Comment 3•9 years ago
|
||
Comment on attachment 8575221 [details] [diff] [review] bug141052.patch Review of attachment 8575221 [details] [diff] [review]: ----------------------------------------------------------------- What about convenient local testing or developing without https? For other components we allow overrides with a hidden pref (with no default value).
Attachment #8575221 -
Flags: review?(gfritzsche) → review+
Reporter | ||
Comment 4•9 years ago
|
||
Prefs can be abuse, easy enough to modify the relevant code locally for dev testing.
Assignee | ||
Comment 5•9 years ago
|
||
Assignee: nobody → alessio.placitelli
Status: NEW → ASSIGNED
Attachment #8579312 -
Flags: review?(jmaher)
Comment 6•9 years ago
|
||
Comment on attachment 8579312 [details] [diff] [review] Changes to Talos Review of attachment 8579312 [details] [diff] [review]: ----------------------------------------------------------------- you are aware this will resolve to a 404, but http vs https will still be valid :)
Attachment #8579312 -
Flags: review?(jmaher) → review+
Assignee | ||
Comment 7•9 years ago
|
||
(In reply to Joel Maher (:jmaher) from comment #6) > Comment on attachment 8579312 [details] [diff] [review] > Changes to Talos > > Review of attachment 8579312 [details] [diff] [review]: > ----------------------------------------------------------------- > > you are aware this will resolve to a 404, but http vs https will still be > valid :) Yes, but thanks for pointing that out ;-)
Assignee | ||
Comment 8•9 years ago
|
||
This patch changes addon-sdk prefs.
Attachment #8579905 -
Flags: review?(gfritzsche)
Comment 9•9 years ago
|
||
Comment on attachment 8579905 [details] [diff] [review] Changes to addon-sdk prefs Review of attachment 8579905 [details] [diff] [review]: ----------------------------------------------------------------- ::: addon-sdk/source/python-lib/cuddlefish/prefs.py @@ +59,5 @@ > 'browser.safebrowsing.updateURL': 'http://localhost/safebrowsing-dummy/update', > 'browser.safebrowsing.gethashURL': 'http://localhost/safebrowsing-dummy/gethash', > 'browser.safebrowsing.reportURL': 'http://localhost/safebrowsing-dummy/report', > 'browser.safebrowsing.malware.reportURL': 'http://localhost/safebrowsing-dummy/malwarereport', > + 'browser.selfsupport.url': 'https://localhost/repair-dummy', Better naming please, selfsupport-dummy? ::: addon-sdk/source/test/preferences/no-connections.json @@ +16,5 @@ > "browser.safebrowsing.updateURL": "http://localhost/safebrowsing-dummy/update", > "browser.safebrowsing.gethashURL": "http://localhost/safebrowsing-dummy/gethash", > "browser.safebrowsing.reportURL": "http://localhost/safebrowsing-dummy/report", > "browser.safebrowsing.malware.reportURL": "http://localhost/safebrowsing-dummy/malwarereport", > + "browser.selfsupport.url": "https://localhost/repair-dummy", Better naming please, selfsupport-dummy?
Attachment #8579905 -
Flags: review?(gfritzsche) → review+
Assignee | ||
Comment 10•9 years ago
|
||
Attachment #8579905 -
Attachment is obsolete: true
Attachment #8579969 -
Flags: review+
Assignee | ||
Comment 11•9 years ago
|
||
Fixed the failing tests on try server and updated the commit message. Try push: https://treeherder.mozilla.org/#/jobs?repo=try&revision=757a43a50e6d
Attachment #8575221 -
Attachment is obsolete: true
Attachment #8581478 -
Flags: review+
Comment 13•9 years ago
|
||
talos is updated on inbound. Please close this bug if there is nothing left to do.
Comment 14•9 years ago
|
||
and with the font taken care of we should be good!
Attachment #8579312 -
Attachment is obsolete: true
Attachment #8591717 -
Flags: review?(alessio.placitelli)
Assignee | ||
Comment 15•9 years ago
|
||
Comment on attachment 8591717 [details] [diff] [review] changes to talos preference and font Review of attachment 8591717 [details] [diff] [review]: ----------------------------------------------------------------- ::: talos/mtio-whitelist.json @@ +38,5 @@ > "{FONTS}\\RAAVI.TTF": {}, > "{FONTS}\\SEGOEUI.TTF": {}, > "{FONTS}\\SEGOEUIB.TTF": {}, > "{FONTS}\\SEGOEUII.TTF": {}, > + "{fonts}\\segoeuil.ttf": {}, The other fonts are uppercase, while this is lowercase. Is it the same? Maybe we should keep the case to be consistent with the other entries. What do you think?
Attachment #8591717 -
Flags: review?(alessio.placitelli) → review+
Comment 16•9 years ago
|
||
I had to think about that for a moment, I will fix it to be uppercase and land it!
Comment 18•9 years ago
|
||
talos is live on trunk, feel free to close this out if needed.
Assignee | ||
Comment 19•9 years ago
|
||
Thanks :jmaher! I'm marking this as checkin-needed for the other patches (bug141052.patch and Changes to addon-sdk prefs v2). Updated try push: https://treeherder.mozilla.org/#/jobs?repo=try&revision=e5cf29f62351
Keywords: checkin-needed
Comment 20•9 years ago
|
||
https://hg.mozilla.org/integration/fx-team/rev/6bd496d40fd1 https://hg.mozilla.org/integration/fx-team/rev/29d6efbac93b
Comment 21•9 years ago
|
||
https://hg.mozilla.org/integration/fx-team/rev/4ff9b0890ea7 https://hg.mozilla.org/integration/fx-team/rev/cc0dc8a81bad
https://hg.mozilla.org/mozilla-central/rev/4ff9b0890ea7 https://hg.mozilla.org/mozilla-central/rev/cc0dc8a81bad
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox40:
--- → fixed
Resolution: --- → FIXED
Whiteboard: [fixed-in-fx-team]
Target Milestone: --- → Firefox 40
Comment 23•9 years ago
|
||
Commit pushed to master at https://github.com/mozilla/addon-sdk https://github.com/mozilla/addon-sdk/commit/1ef9b052b5103cee7ca9e2a8459cff5f9479724d Bug 1141052 - Change SelfSupport test preferences to use HTTPS instead of HTTP. r=gfritzsche
You need to log in
before you can comment on or make changes to this bug.
Description
•